This is my first time in here, so hi to everyone, and sorry for my first post being to ask for help

I am a professional PHP developer and as such I can get by coding. What I'm not the best at is server admin.

I have a dedicated server which I use for clients. It got hacked a few months back via some little **** using an SQL injection attack on a site we had taken over from another company; stupidly, we had not gone through and checked the code.

This meant we had to implement our hacking contingency plan, which includes nuking the server completely and rebuilding everything on it. (We had obviously backed everything up first so we could check logs/re-install sites afterwards)

We then re-installed our sites, and pored over the logs until we found the point-of-entry, which turned out to be an escalation of privileges attack. This was sorted out immediately and everything was scanned for other vulnerabilities. We also hardened up security by putting in place a script which searches for injection attempts and emails the admin when an injection attempt is detected.

This was months ago, we still get some 50-1000 of these emails a day, which is obviously a ridiculous situation to be in. Looking at the queries which are being run (they get emailed also), they're all very similar attacks (which fail BTW). My main concern now is that it can only be a matter of time before they discover another way in and we start all over again.

Is there a logical procedure to follow to stop what is obviously an automated and systematic attack on our server, or to track down the culprit (we think we may have already done so, but would like confirmation of this through other means.)

I agree with Krugger, Mod Security is a great Web Application Firewall if you have the resources to put it together. I think, however, that emailing the sysadmin every time someone tries a SQL injection is a little overboard. I certainly wouldn't want an email every time someone port scanned me. You will never stop people performing SQL injection; the only thing you can do is put controls in to protect against it, like Mod Security, code reviews, IPS, and controls to detect it like good log management and analysis, IDS.

Another interesting thing you might be interested in as a PHP developer and hoster is nginx + PHP-FPM.

When you start hosting applications that are poorly written or you don't have time to model the mod_security rules or the developers are constantly changing the parameters, you need something different. With PHP-FPM you will be able to have each virtual host running as a different user with its own php.ini and chroot.

So you assume the poorly written PHP sites will be compromised, but at least it will not compromise the remaining ones. At least in theory, have to actually deploy the solution to get a better understanding of the benefits and problems.
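The per-virtual-host isolation described in the reply above, sketched as a PHP-FPM pool file. This is an added example, not part of the original post: the pool names, the accounts `site_a`, `site_b` and `nginx`, and all paths are assumptions, and per-pool `php_admin_value` overrides stand in for a separate php.ini.

```ini
; Added example: one PHP-FPM pool per virtual host.
; Pool names, accounts and paths are assumptions for illustration.

[site_a]
; Workers for this vhost run as their own unprivileged account
user = site_a
group = site_a
; Per-site socket; only the web server account (assumed "nginx") may connect
listen = /run/php-fpm/site_a.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
; Confine the workers to this site's tree; PHP paths below are relative to it
chroot = /srv/www/site_a
chdir = /htdocs
pm = ondemand
pm.max_children = 10
; Refuse to execute anything that is not a .php file
security.limit_extensions = .php
; Per-pool PHP settings that site code cannot change with ini_set()
php_admin_value[open_basedir] = /htdocs:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
php_admin_value[disable_functions] = exec,passthru,shell_exec,system,proc_open,popen
php_admin_flag[allow_url_include] = off

[site_b]
; Second vhost: different account, socket and chroot, so a compromise of
; site_a's code cannot read or write site_b's files as the same user
user = site_b
group = site_b
listen = /run/php-fpm/site_b.sock
listen.owner = nginx
listen.group = nginx
listen.mode = 0660
chroot = /srv/www/site_b
chdir = /htdocs
pm = ondemand
pm.max_children = 10
security.limit_extensions = .php
php_admin_value[open_basedir] = /htdocs:/tmp
php_admin_value[upload_tmp_dir] = /tmp
php_admin_value[session.save_path] = /tmp
php_admin_flag[allow_url_include] = off
```

Because of the chroot, nginx has to pass `SCRIPT_FILENAME` as the path inside the chroot (for example `/htdocs/index.php`), and anything PHP needs at runtime, such as `/tmp`, has to exist inside each site's tree.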
